Introduction to SSL Network Extender (SNX)
SSL Network Extender is a thin client that remote users use to access internal resources that the administrator defines as applications.
SNX can work with the Mobile Access
Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. or the IPsec VPN Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. Software Blade.
The IPsec VPN Software Blade and the Mobile Access Software Blade require different licenses.
Workflow:
-
The administrator configures a Security Gateway
Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. as an SSL-enabled web server that supports Remote Access clients. -
The remote user downloads the SNX client from the Security Gateway.
-
The remote user can access internal resources.
In a Mobile Access Software Blade configuration, the remote user can access configured applications.
Comparison of SNX supported features with the Mobile Access Software Blade and the IPsec VPN Software Blade
|
Type of SNX |
End User Experience |
Supported Access Control Rules |
Supported Operating Systems |
|---|---|---|---|
|
SNX with Mobile Access Software Blade |
The Mobile Access Portal downloads SNX from the Security Gateway automatically. |
Supports Access Control rules in SmartConsole
|
Supported only with Mobile Access Portal. CLI is not supported. |
|
SNX with Remote Access VPN Software Blade |
Users download SNX from a Security Gateway portal. |
Supports Access Control rules in SmartConsole based on:
|
|
If the Mobile Access Software Blade is enabled on the Security Gateway:
-
SNX works through Mobile Access only.
-
You must configure the Mobile Access policy:
-
Management Server
Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. R81.20 and lower:In SmartConsole > Manage & Settings view > click Blades > in the section Mobile Access, click Configure in SmartDashboard > tab Mobile Access > click the page Policy.
-
If the Mobile Access Software Blade is disabled and the IPsec VPN Software Blade is enabled on the Security Gateway:
-
SNX works through the IPsec VPN Software Blade.
-
You must configure the Access Control Policy in SmartConsole.
|
|
Important - If you configured the SSL Network Extender settings in the Security Gateway for the IPsec VPN Software Blade, and then you enabled the Mobile Access Software Blade, then you must reconfigure the required rules in the Mobile Access policy.The SSL Network Extender rules in the Access Control Policy do not apply anymore. |
SNX Modes for Mobile Access Portal on an Endpoint Computer with Windows OS
SNX for Mobile Access supports Network Mode and Application Mode.
|
Category |
Network Mode |
Application Mode |
|---|---|---|
|
Supported application types |
All Native IP-based applications and web applications |
Most Native IP-based applications and web applications are supported. OPSEC-certified applications are tested and verified UDP-based applications are not supported. |
|
Supported web browsers on the client computer |
|
|
|
Required privileges on the client computer |
Administrator privileges required on the client computer |
Administrator privileges not required on the client computer |
|
How remote users open the application |
Remote users can open applications in the Mobile Access portal or on the desktop of the endpoint computer. |
Remote users can open applications only in the Mobile Access Portal. An application that is not supported in Application Mode does not appear in the Mobile Access Portal. |
|
|
Note - Some Anti-Virus |
Downloading SNX for Mobile Access or Remote Access VPN
|
Software Blade |
Endpoint Computer Operating System |
How to Download SNX |
|---|---|---|
|
Mobile Access |
Windows, Linux, or macOS |
The endpoint computer automatically downloads SNX as a desktop application from the Mobile Access Portal. |
|
Remote Access VPN |
Windows |
The endpoint computer automatically downloads SNX as a desktop application from the Remote Access VPN portal. |
|
Remote Access VPN |
Linux or macOS |
You must download SNX manually as a command line application. See Basic Configuration of SSL Network Extender for Remote Access VPN. |
Commonly Used Concepts
These are commonly used concepts that you encounter when working with the SSL Network Extender:
Remote Access VPN
Refers to remote users accessing the network with client software such as Endpoint VPN clients, SSL clients, or third party IPsec clients.
The Security Gateway provides a Remote Access VPN Service to the remote clients.
Remote Access Community
A Remote Access Community, a Check Point concept, is a type of VPN community created specifically for users that usually work from remote locations, outside of the corporate LAN.
Office Mode
Office Mode is a Check Point remote access VPN solution feature. It enables a Security Gateway to assign a remote client an IP address.
This IP address is used only internally for secure encapsulated communication with the home network, and therefore is not visible in the public network.
The assignment takes place once the user connects and authenticates.
The assignment lease is renewed as long as the user is connected.
The address may be taken either from a general IP address pool, or from an IP address pool specified per user group, using a configuration file.
Visitor Mode
Visitor Mode is a Check Point remote access VPN solution feature. It enables tunneling of all Client-to-Security Gateway communication through a regular TCP connection on port 443.
Visitor mode is designed as a solution for firewalls and Proxy servers that are configured to block IPsec connectivity.